diff --git a/sso.js b/sso.js
index eca0d34..4e7a8a0 100644
--- a/sso.js
+++ b/sso.js
@@ -82,19 +82,15 @@ app.post("/api/v1/sso/kcauth", async (req, res) => {
 const publicKeyLanding = fs.readFileSync(`./BMA.pub.pem`, "utf8");
 const clientSecret = process.env.KC_CLIENT_SECRET;
 const clientId = process.env.KC_CLIENT_ID;
+ const username = req.body.uid;
 const cookies = req.cookies;
 const tokenSSO = cookies[cookieName];
- if (!tokenSSO) {
+ if (!tokenSSO && !uid) {
 res.status(401).send("Unauthorized");
 return;
- }
-
- const oldssotoken = cookies['oldssotoken'];
-
- if (tokenSSO !== oldssotoken) {
-
+ } else if (tokenSSO) {
 let decodedToken = "";
 if (useBMA) {
 decodedToken = jwt.decode(tokenSSO);
@@ -104,8 +100,14 @@ app.post("/api/v1/sso/kcauth", async (req, res) => {
 let d = JSON.parse(JSON.stringify(decodedToken));
 // console.log("==== username from cookies ====", d);
- const username = d.username;
+ username = d.username;
+ }
+
+ const oldssotoken = cookies['oldssotoken'];
+ const oldcid = cookies['oldcid'];
+
+ if (tokenSSO !== oldssotoken && username !== oldcid) {
 // create body for admin token
 let body = {
 client_id: clientId,
@@ -156,6 +158,12 @@ app.post("/api/v1/sso/kcauth", async (req, res) => {
 httpOnly: true,
 });
+ res.cookie('oldcid', username, {
+ maxAge: 1000 * 60 * 60 * 24, // กำหนด timeout หน่วยเป็น millisecond
+ path: "/",
+ httpOnly: true,
+ });
+
 res.status(200).send(tokenResponse.data);
 } else {
 res.status(200).send({ isLogin: true });
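Review bot: The new fallback `const username = req.body.uid;` lets a request with no SSO cookie pass the 401 guard on the strength of a client-supplied body field alone, and nothing in this hunk verifies that the caller is entitled to that uid; the cookie branch at least decodes a token (and if `jwt` is the jsonwebtoken package, `jwt.decode` on its own does not check the signature either), while the body branch checks nothing. Two further defects in the same lines will fail at runtime: the guard tests `!uid`, which is never declared here (`username` is), and `username` is declared `const` while the second hunk assigns `username = d.username;`, which throws "Assignment to constant variable". Unless the uid path is meant to carry an already-authenticated identity, it should be removed or gated behind a verifiable credential; at minimum the declaration should be `let username = req.body.uid;` and the guard `if (!tokenSSO && !username) {`. The handler body runs past the hunk in both directions — its `app.post` header appears only in the hunk context and the token issuance follows in later hunks.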
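Review bot: The new short-circuit `username !== oldcid` compares against a cookie the client sends, so it is not a trustworthy record of who was last issued a token: any caller can omit or alter `oldcid` (and `oldssotoken`) to force the admin-token path, and a caller arriving via the body-uid route with no SSO cookie but an arbitrary `oldssotoken` cookie reaches it for whatever username they name, since `undefined !== 'x'` and `username !== undefined` are both true. The change from a single `tokenSSO !== oldssotoken` test to `&&` also means a user who presents a fresh SSO token but still matches the previous `oldcid` now gets `{ isLogin: true }` instead of a new token; if that is intended, a comment such as `// only re-issue when both the SSO token and the user changed since the last issue` would make it explicit. If the goal is to avoid repeated admin-token calls, a server-side cache keyed by the verified username cannot be forged from the client. The enclosing `if` body continues beyond this hunk.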
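Review bot: `res.cookie('oldcid', username, …)` sets only `httpOnly`; no `secure: true` or `sameSite` is visible, so the browser will also send the cookie over plain HTTP and, depending on browser defaults, on cross-site requests, and it carries the username in clear text. The cookie written just above it appears to have the same shape, though only its `httpOnly: true` line is in the context here. Since the handler branches on this value, consider `secure: true, sameSite: 'lax'` alongside `httpOnly`, and translate the Thai comment to `// 24h lifetime, in milliseconds`.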